ION-E Defense In Depth Presentation for The Institiute of Internal Auditors

1. Defense in DepthMichael A. DaGrossa - CISSP, CEH, CCEManaging Partner Business Risk mike@ion-e.comProprietary and Confidential

2. Take advantage of the enemy's un-readiness, make your way by unexpected routes, and attack unguarded spots.—Sun Tzu Proprietary and Confidential

3. Consultants and clients should develop a Defense in Depth Strategy, which should be regularly tested and corrected

4. Definition : DIDDefined by the Defense Information Security Agency:

5. the Defense in Depth approach builds mutually supporting layers of defense to reduce vulnerabilities and to assist you to protect against, detect and react to as many attacks as possible. By constructing mutually supporting layers of defense, you will cause an adversary who penetrates or breaks one layer of defense to promptly encounter another and another until unsuccessful in the quest for unauthorized entrance, the attack ends. To protect against different attack methods, you must employ corresponding security measures. The weakness of one security measure should be compensated for by the strength of another. Does your Business Look like thisProprietary and Confidential

6. The general characteristics of defensive operations are: To understand the enemy

7. See the battlefield

8. Use the defenders’ advantages

9. Concentrate at critical times and places

10. Conduct counter reconnaissance and counterattacks

11. Coordinate critical defense assets

12. Balance base security with political and legal constraints

13. And know the law of war and rules of engagement.Proprietary and Confidential

14. Why being compliant does not equal secure?Why secure does not equal compliant?Proprietary and Confidential

15. PCI-Compliant To Name a FewTJ MaxxHeartlandHannafordProprietary and Confidential

16. HIPAA-Compliant To Name a FewAV Med Health PlansKinetic ConceptsUniversity of PittsburghProprietary and Confidential

17. FDIC-FFIEC GLBA BITS To Name a FewINGEducation Credit Management CorpLincoln National CorpProprietary and Confidential

18. NIST-Secure To Name a FewDODSSAWest Memphis PD, AZProprietary and Confidential

19. ISO-Secure To Name a FewTargetChoicepointJCPenneyProprietary and Confidential

20. SkydivingThink of a corporate risk assessment as a life threatening scenario to appropriately perceive itProprietary and Confidential

21. We have a parachute, what could go wrong?Proprietary and Confidential

22. Standards, Controls and SecurityPrimary ChuteReserve ChuteAutomatic Activation Device (A.A.D.)Reserve Static LineAltimeterHelmet/Goggles/JumpsuitTrained professional assistanceProprietary and Confidential

23. Layers of Safety Using one standard as an umbrella approach to holistic security for a corporation is similar to taking one measure to guarantee the safety of a freefall jump. The jumper should be prepared well before the jump and do everything accurately during the jump, until the time he/she reaches the ground. Proprietary and Confidential

24. What are we protectingData breach incidents cost U.S. companies an average of $204 per compromised customer record in 2009.The average total per-incident costs in 2009 were $6.75 million.A total of 498 breaches were reported in 2009 according to the Identity Theft Resource Center.Engaging a consultant or third party expert to assist in the data breach incidence results in lower average cost per compromised record (almost 26% lesser). About 44% of participating companies engaged an outside consultant to assist them over the course of the data breach incident.Organizations in highly trusted industries such as financial services and health care are more likely to experience a data breach with higher abnormal churn rate (5% and 6% respectively).Source: Key findings from 2009 Ponemon Institute Annual Study Proprietary and Confidential

25. What are we protectingToo many times we get focused on only our roles for an engagementProblems with independenceKnowledgeCheck list approachSource: Key findings from 2009 Ponemon Institute Annual Study Proprietary and Confidential

26. What are we protectingSource: DatalossDB.orgProprietary and Confidential

27. What are we protectingSource: DatalossDB.orgProprietary and Confidential

28. What are we protectingSource: DatalossDB.orgDatalossDB.orgProprietary and Confidential

29. Senior management should:Clearly support all aspects of the information security programImplement the information security program as approved by the board of directorsEstablish appropriate policies, procedures, and controlsParticipate in assessing the effect of security issues on the financial institution and its business lines and processesProprietary and Confidential

30. Senior management should:Delineate clear lines of responsibility and accountability for information security risk management decisionsDefine risk measurement definitions and criteriaEstablish acceptable levels of information security risksOversee risk mitigation activities.Proprietary and Confidential

31. ControlsInternal Control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) Effectiveness and efficiency of operations; b) Reliability of financial reporting; and c) Compliance with laws and regulationsProprietary and Confidential

32. Controls - COSO Control EnvironmentRisk AssessmentInformation and CommunicationControl ActivitiesMonitoringProprietary and Confidential

33. ControlsInternal controls may be described in terms of: a) the objective they pertain to b) the nature of the control activity itself.Auditors understand this Information Technology people do not Business does not eitherProprietary and Confidential

34. Controls - COBITIT GovernanceStrategic AlignmentValue DeliveryRisk ManagementResource ManagementPerformance MeasurementProprietary and Confidential

35. Controls- CISSPAccess Control

36. Application Security

37. BCP/DR

38. Cryptography

39. Info Sec and Risk Management

40. Legal, Regulations and Compliance

41. Physical

42. Security Architecture and Design

43. Telecom and Network SecurityProprietary and Confidential

44. Controls - CISMInformation Security GovernanceInformation Risk ManagementInformation Security Program DevelopmentInformation Security Program ManagementIncident Management and ResponseProprietary and Confidential

45. SANS-GIACProprietary and Confidential

46. Controls - PCIBuild and Maintain a Secure NetworkProtect Cardholder DataMaintain a Vulnerability Management ProgramImplement Strong Access Control MeasuresRegularly Monitor and Test NetworksMaintain Information Security PolicyProprietary and Confidential

47. Controls- ISO 27K27001 – ISMS27002 -Practices27003- implementation Guidance27004-Metrics27therest- defined up to 27037*27799-ISMS for Health SectorProprietary and Confidential

48. Controls – Planned OutProprietary and Confidential

49. Business BreakdownProprietary and Confidential

50. Frameworks for BusinessProprietary and Confidential

51. DID for BusinessProprietary and Confidential

52. Management, security, risk, audit, and compliance professionals should:Look beyond the standardDetermine whether it is sufficient to manage the related risks to the organizationA start to finish, multi-layered security approach is the only option to minimize business impact and mitigate the most possible risk. Proprietary and Confidential

53. The Bad GuysAnti ForensicsExploitsSocial EngineeringInsidersOutsidersProprietary and Confidential

54. Anti-ForensicsEncryption

55. Steganography

56. Disk Wiping

57. Signatures

58. Bootable Disks –Bart,BT,HELIX, OWASP, MOJO

59. Slacker, TimeStomp, Trasnmogrify, SAMJuicer

60. Everything run in Ram

61. Linux-Where tools don’t look-Rune, Waffen, KY, DataMuleProprietary and Confidential

62. ExploitsSpear-PhishingPhishingPharmingCross Site anythingSpoofingSQL InjectionPatch Proprietary and Confidential

63. HighNew Internet AttacksPacket Forging& SpoofingStealth DiagnoticsSophistication of Hacker ToolsDDOSSniffersSweepersHijacking SessionsBack DoorsTechnical KnowledgeRequiredSelf-Replicating CodePassword CrackingPassword GuessingTime[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]Proprietary and Confidential

64. Social Engineering“Social Engineer Specialist” Because there is no patch for human stupidity- DeFconTshirtThe art of utilizing human behavior to breach security without the participant even realizing they have been manipulated. Proprietary and Confidential

65. Social EngineeringTechnical –Google, Maltego, PiPLNon-Technical-Poor Physical ControlsLack of Security Awareness TrainingLack of Policies and ProceduresWeak Employee ScreeningLack of Management SupportPoor Controls on Data Proprietary and Confidential

66. Social EngineeringPeople are the weakest linkDesire to be helpfulFear of getting in troubleTendency to trustDesire to be successfulProprietary and Confidential

67. Social EngineeringPath of least resistanceProprietary and Confidential

68. InsiderMotivators-The Dark SideProfitRevengeFameProprietary and Confidential

69. InsiderMotivators-Good Doing BadEvolving LoyaltiesJob ChangeManagement ChangeCompany ChangeMisdirection/Social EngineeringInfluenceProprietary and Confidential

70. Insider-Telltale SignsInsiders already have accessInsiders just need intentProprietary and Confidential

71. Insider-Watch ForSome Kind of ActivityRevealing information not directly observableNoticedSignificance Recognized Proprietary and Confidential

72. Insider-HRMonitoring included in PolicyClearly defined processes to include HR, Legal, Security and ManagementUnderstand the evolving privacy statutory requirementsProprietary and Confidential

73. Outsider HactivismSKIDDIESProfitRevengeFameProprietary and Confidential

74. Risk ModelingKnow your Risk Formulas (ALE=AROxSLE)(EV*AV)SusceptibilityImpactRisk = MaterialityProprietary and Confidential

75. Threat Modeling Attacker - CentricSoftware - CentricAsset - CentricProprietary and Confidential

76. Attack MethodologyPhase I: Reconnaissance Phase II: Enumeration Phase III: Vulnerability Analysis Phase IV: ExploitProprietary and Confidential

77. Attack MethodologyProprietary and Confidential

78. Case Study #1:Defense ContractorInvestigationData LeakageResultsTargeted Spear PhishingBreakdownAVDLPFirewall/IDSIncident responseProprietary and Confidential

79. Case Study #2:InsuranceInvestigation Data LeakageResultsLoss of ACL, Passwords, Intellectual CapitalBreakdownSecurity AwarenessImproper Access ControlDLPIDS/IPS/HIDSProprietary and Confidential

80. Case Study #3:HealthcareInvestigationOutside HackResults Loss of proprietary informationLoss of reputationCompany ended up closing shopBreakdownInternal IT Violated controls set in place through HiPAAProprietary and Confidential

81. Questions and AnswersMichael A. DaGrossa, CISSP,CEH,CCEManaging Partner, Business Risk Services302.261.9013 (office)302.383.2737 (mobile)ION-e Group100 Dean DriveNewark, DE 19711www.ion-e.comwww.linkedin.com/in/dagrossawww.deinfragard.comProprietary and Confidential

ION-E Defense In Depth Presentation for The Institiute of Internal Auditors

Related slideshows

More Related Content

ION-E Defense In Depth Presentation for The Institiute of Internal Auditors

Editor's Notes